From January 2020 through May 2021, New York State Department of Financial Services (NYDFS) regulated companies reported in excess of 70 Ransomware attacks ranging from costly shutdowns to disruptions in business operations. Successful Ransomware attacks continue to escalate in total numbers and overall severity, with no sector safe from an attack. Government agencies, companies, educational institutions, and nonprofits are all targets.
More often than not, cyber criminals go unnoticed and wreak havoc long before any trace of their activity is detected and almost none are ever caught and punished. Lack of capture and prosecution in addition to the increased success of Ransomware attacks has emboldened cyber criminals to demand larger payments to unlock their victims’ systems, with no assurances that decryption keys will work or that sensitive data won’t be publicly leaked.
As the Department of Financial Services (DFS) noted in the Cyber Insurance Risk Framework in February 2021, the cost of Ransomware has also shaken up the cyber insurance market. Because of Ransomware, loss ratios on cyber insurance increased from an average of 42% during 2015-2019 to 73% in 2020. Increasing costs are impacting premiums and the scope of coverage.
On June 30, 2021, NYDFS issued new guidance on how to minimize the risk of Ransomware attacks. These new controls are officially said to be guidance, but NYDFS said that it, ‘expects regulated companies to implement these new controls whenever possible.’ Organizations that do follow the regulations of the NYDFS should consider implementing the new guidance as it is based on sound practices and if implemented may prevent a successful attack from occurring.
To get an idea of what you can do to help mitigate the risk of a Ransomware attack, here’s a smart way to start protecting your operations:
The latest NYDFS guidance speaks to industry best practices and is applicable to every organization throughout the country. This guidance puts forth nine controls aimed at preventing and/or responding to Ransomware attacks:
Employee awareness of their network security obligations and anti-phishing training, in particular, are critical. Required cybersecurity awareness training pursuant should include recurrent phishing training, including how to spot, avoid, and report phishing attempts.
Companies should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary.
Emails should be filtered to block spam and malicious attachments/links from reaching users.
Companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. The program should include periodic penetration testing.
Timely remediation of vulnerabilities is essential and requires strong governance, including assignment and tracking of responsibilities. Vulnerability management should include requirements for timely application of security patches and updates. Wherever possible, regulated companies should enable automatic updates.
MFA protects user accounts and can prevent hackers from obtaining access to the network and from escalating privileges once in the network. MFA for remote access to the network and all externally exposed enterprise and third-party applications is required by NYDFS regulations.
All logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.
Regulated entities should disable RDP access from the internet wherever possible. If, after assessing the risk, RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.
Regulated companies should ensure that strong, unique passwords are used. Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords.
Larger organizations with dozens or hundreds of privileged user and service accounts should strongly consider a password vaulting PAM (privileged access management) solution which requires employees to request and check out passwords. Password caching should be turned off wherever possible.
Regulated companies should implement the principle of least privileged access – each user or service account should be given the minimum level of access necessary to perform the job. Privileged accounts should be carefully protected. As noted above, privileged accounts should universally require MFA and strong passwords.
Companies should also maintain and periodically audit an inventory of all privileged accounts. Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc.
Privileged service accounts are a frequent source of compromise and should not be overlooked. Service accounts should have the same or more restrictive access controls as equivalent user accounts.
Regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity. Regulated companies should implement an Endpoint Detection and Response (“EDR”) solution, which monitors for anomalous activity. Advanced EDR can quarantine infected systems, potentially stopping Ransomware from executing before it can encrypt the endpoint. EDR can also facilitate incident response.
Companies with larger and more complex networks should also have lateral movement detection and a Security Information and Event Management (SIEM) solution that centralizes logging and security event alerting.
Regulated companies should maintain comprehensive, segregated backups that will allow recovery in the event of a Ransomware attack. To prevent hackers from deleting or encrypting backups, at least one set of backups should be segregated from the network and offline.
It is important to periodically test backups by actually restoring critical systems from backups – this is the only way to be sure the backups will actually work when needed.
Regulated companies should have an incident response plan that explicitly addresses Ransomware attacks. The plan should be tested, and the testing should include senior leadership – decision makers such as the CEO should not be testing the incident response plan for the first time during a Ransomware incident.
Any successful deployment of Ransomware on a regulated company's internal network should be reported as promptly as possible and within 72 hours at the latest. It also recommends that "any intrusion where hackers gain access to privileged accounts" should be reported.
These 9 security practices are well worth your consideration and implementation. Although they may initially create a heavy workload for your staff, they may in fact prevent a successful attack from occurring.
We are JANUS Associates, and our mission is dedicated to improving the information security of our clients, and society at large. In business since 1988, JANUS offers a full range of high-quality cyber security, privacy, and regulatory compliance services at affordable costs. We understand the challenges that organizations of all sizes face and we can help you achieve your information security goals regardless of your size.
Contact us today and speak with a JANUS cyber security professional.
 SEE CYBER INSURERS HIKE RATES BUT WORRY ABOUT PRICING LONG-TERM AS LOSSES MOUNT: FITCH, INSURANCE JOURNAL (MAY 27, 2021).